![Page 1: BGP Safety with Spurious Updates Martin Suchara in collaboration with: Alex Fabrikant and Jennifer Rexford IEEE INFOCOM April 14, 2011](https://reader035.vdocuments.site/reader035/viewer/2022062714/56649d2c5503460f94a02ff6/html5/thumbnails/1.jpg)
BGP Safety with Spurious Updates
Martin Suchara
in collaboration with:Alex Fabrikant and
Jennifer Rexford
IEEE INFOCOMApril 14, 2011
![Page 2: BGP Safety with Spurious Updates Martin Suchara in collaboration with: Alex Fabrikant and Jennifer Rexford IEEE INFOCOM April 14, 2011](https://reader035.vdocuments.site/reader035/viewer/2022062714/56649d2c5503460f94a02ff6/html5/thumbnails/2.jpg)
2
The Border Gateway Protocol (BGP) BGP calculates paths to each address prefix
Each Autonomous System (AS) implements its own custom policies
Can prefer an arbitrary path
Can export the path to a subset of neighbors
Prefix d
Data traffic
“I can reach
d via AS 1”44
55
33
“I can reach d” 11
22“I can reach
d via AS 1”
![Page 3: BGP Safety with Spurious Updates Martin Suchara in collaboration with: Alex Fabrikant and Jennifer Rexford IEEE INFOCOM April 14, 2011](https://reader035.vdocuments.site/reader035/viewer/2022062714/56649d2c5503460f94a02ff6/html5/thumbnails/3.jpg)
3
BGP Safety Challenges 35,000 ASes and 300,000 address blocks
Routing convergence usually takes minutes
But the system does not always converge…
0
1 2
d
Prefer 120 to 10
Prefer 210 to 20
Use 20Use 10Use 120
Use 210
![Page 4: BGP Safety with Spurious Updates Martin Suchara in collaboration with: Alex Fabrikant and Jennifer Rexford IEEE INFOCOM April 14, 2011](https://reader035.vdocuments.site/reader035/viewer/2022062714/56649d2c5503460f94a02ff6/html5/thumbnails/4.jpg)
4
Results on BGP Safety
Necessary or sufficient conditions of safety (Gao and Rexford, 2001), (Gao, Griffin and Rexford, 2001), (Griffin, Jaggard and Ramachandran, 2003), (Feamster, Johari and Balakrishnan, 2005), (Sobrinho, 2005), (Fabrikant and Papadimitriou, 2008), (Cittadini, Battista, Rimondini and Vissicchio, 2009), …
Absence of a “dispute wheel” sufficient for safety (Griffin, Shepherd, Wilfong, 2002)
Verifying safety is computationally hard (Fabrikant and Papadimitriou, 2008), (Cittadini, Chiesa, Battista and Vissicchio, 2011)
![Page 5: BGP Safety with Spurious Updates Martin Suchara in collaboration with: Alex Fabrikant and Jennifer Rexford IEEE INFOCOM April 14, 2011](https://reader035.vdocuments.site/reader035/viewer/2022062714/56649d2c5503460f94a02ff6/html5/thumbnails/5.jpg)
5
Key Results Existing models of BGP do not capture
important transient phenomena
A new model of BGP Accurately capture the consequences of
transient phenomena on convergence Retain simplicity of previous models
More accurate model makes proofs easier!
![Page 6: BGP Safety with Spurious Updates Martin Suchara in collaboration with: Alex Fabrikant and Jennifer Rexford IEEE INFOCOM April 14, 2011](https://reader035.vdocuments.site/reader035/viewer/2022062714/56649d2c5503460f94a02ff6/html5/thumbnails/6.jpg)
6
Overview
I. Classical model of BGP: the SPVP
III. The surprise: networks believed to be safe oscillate!
IV. Convergence conditions: polynomial time verifiable
V. Conclusion
II. Spurious BGP updates: what are they?
![Page 7: BGP Safety with Spurious Updates Martin Suchara in collaboration with: Alex Fabrikant and Jennifer Rexford IEEE INFOCOM April 14, 2011](https://reader035.vdocuments.site/reader035/viewer/2022062714/56649d2c5503460f94a02ff6/html5/thumbnails/7.jpg)
7
Simple Path Vector Protocol (SPVP)Traditional BGP Model (Griffin and Wilfong, 2000)
12010ε
Permitted paths
Network topology
2
0
1
The higher the more preferred
21020ε
The destination
![Page 8: BGP Safety with Spurious Updates Martin Suchara in collaboration with: Alex Fabrikant and Jennifer Rexford IEEE INFOCOM April 14, 2011](https://reader035.vdocuments.site/reader035/viewer/2022062714/56649d2c5503460f94a02ff6/html5/thumbnails/8.jpg)
8
Simple Path Vector Protocol (SPVP)Traditional BGP Model (Griffin and Wilfong, 2000)
12010ε
0
1
21020ε
Selected paths
2
![Page 9: BGP Safety with Spurious Updates Martin Suchara in collaboration with: Alex Fabrikant and Jennifer Rexford IEEE INFOCOM April 14, 2011](https://reader035.vdocuments.site/reader035/viewer/2022062714/56649d2c5503460f94a02ff6/html5/thumbnails/9.jpg)
9
Simple Path Vector Protocol (SPVP)Traditional BGP Model (Griffin and Wilfong, 2000)
12010ε
0
21020ε
Activation21
Activation models the processing of BGP update messages sent by neighbors
![Page 10: BGP Safety with Spurious Updates Martin Suchara in collaboration with: Alex Fabrikant and Jennifer Rexford IEEE INFOCOM April 14, 2011](https://reader035.vdocuments.site/reader035/viewer/2022062714/56649d2c5503460f94a02ff6/html5/thumbnails/10.jpg)
10
Simple Path Vector Protocol (SPVP)Traditional BGP Model (Griffin and Wilfong, 2000)
12010ε
0
21020ε
Switch to best available
2 Activation1
Activation models the processing of BGP update messages sent by neighbors
![Page 11: BGP Safety with Spurious Updates Martin Suchara in collaboration with: Alex Fabrikant and Jennifer Rexford IEEE INFOCOM April 14, 2011](https://reader035.vdocuments.site/reader035/viewer/2022062714/56649d2c5503460f94a02ff6/html5/thumbnails/11.jpg)
11
Simple Path Vector Protocol (SPVP)Traditional BGP Model (Griffin and Wilfong, 2000)
12010ε
0
21020ε
System is safe if all “fair” activation sequences lead to a stable path assignment
Switch to best available
2 Activation1
![Page 12: BGP Safety with Spurious Updates Martin Suchara in collaboration with: Alex Fabrikant and Jennifer Rexford IEEE INFOCOM April 14, 2011](https://reader035.vdocuments.site/reader035/viewer/2022062714/56649d2c5503460f94a02ff6/html5/thumbnails/12.jpg)
12
Overview
I. Classical model of BGP: the SPVP
III. The surprise: networks believed to be safe oscillate!
IV. Convergence conditions: polynomial time verifiable
V. Conclusion
II. Spurious BGP updates: what are they?
![Page 13: BGP Safety with Spurious Updates Martin Suchara in collaboration with: Alex Fabrikant and Jennifer Rexford IEEE INFOCOM April 14, 2011](https://reader035.vdocuments.site/reader035/viewer/2022062714/56649d2c5503460f94a02ff6/html5/thumbnails/13.jpg)
13
What are Spurious Updates? A phenomenon: router announces a route
other than the highest ranked one
Spurious BGP update 230:
Selected path: 20
Behavior not allowed in SPVP
0
1 2
3
123010
30
21020230
230
![Page 14: BGP Safety with Spurious Updates Martin Suchara in collaboration with: Alex Fabrikant and Jennifer Rexford IEEE INFOCOM April 14, 2011](https://reader035.vdocuments.site/reader035/viewer/2022062714/56649d2c5503460f94a02ff6/html5/thumbnails/14.jpg)
14
What Causes Spurious Updates?
1. Limited visibility to improve scalability Internal structure of ASes Cluster-based router architectures
2. Timers and delays to prevent instabilities and reduce overhead Route flap damping Minimal Route Advertisement Interval timer Grouping updates to priority classes Finite size message queues in routers
![Page 15: BGP Safety with Spurious Updates Martin Suchara in collaboration with: Alex Fabrikant and Jennifer Rexford IEEE INFOCOM April 14, 2011](https://reader035.vdocuments.site/reader035/viewer/2022062714/56649d2c5503460f94a02ff6/html5/thumbnails/15.jpg)
15
DPVP– A More General Model of BGP DPVP = Dynamic Path Vector Protocol
Transient period τ after each route change Spurious updates with a less preferred
recently available route
Only allows the “right” kind of spurious updates Every spurious update has a cause in BGP General enough and future-proof
![Page 16: BGP Safety with Spurious Updates Martin Suchara in collaboration with: Alex Fabrikant and Jennifer Rexford IEEE INFOCOM April 14, 2011](https://reader035.vdocuments.site/reader035/viewer/2022062714/56649d2c5503460f94a02ff6/html5/thumbnails/16.jpg)
16
DPVP– A More General Model of BGP
12010ε
The permitted paths and their ranking
2
0
1
20
21020ε
Spurious update
Selected path: 210
Spurious updates are allowed only if current time < StableTime
Spurious updates may include paths that were recently available or the empty path
Remember all recently available paths (e.g. 20, 210)
StableTime = τ after last path change
![Page 17: BGP Safety with Spurious Updates Martin Suchara in collaboration with: Alex Fabrikant and Jennifer Rexford IEEE INFOCOM April 14, 2011](https://reader035.vdocuments.site/reader035/viewer/2022062714/56649d2c5503460f94a02ff6/html5/thumbnails/17.jpg)
17
Overview
I. Classical model of BGP: the SPVP
III. The surprise: networks believed to be safe oscillate!
IV. Convergence conditions: polynomial time verifiable
V. Conclusion
II. Spurious BGP updates: what are they?
![Page 18: BGP Safety with Spurious Updates Martin Suchara in collaboration with: Alex Fabrikant and Jennifer Rexford IEEE INFOCOM April 14, 2011](https://reader035.vdocuments.site/reader035/viewer/2022062714/56649d2c5503460f94a02ff6/html5/thumbnails/18.jpg)
18
Consequences of Spurious Updates Spurious behavior is temporary, can it have
long-term consequences?
Yes, it may trigger oscillations in otherwise safe configurations!
![Page 19: BGP Safety with Spurious Updates Martin Suchara in collaboration with: Alex Fabrikant and Jennifer Rexford IEEE INFOCOM April 14, 2011](https://reader035.vdocuments.site/reader035/viewer/2022062714/56649d2c5503460f94a02ff6/html5/thumbnails/19.jpg)
19
The Surprise: Spurious Announcements Trigger Permanent Oscillations!
Stable because node 3 cannot use route 30
Safe instance in all classical models of routing:
13010
21020
321032030
1
3
0
2
Stable outcome
![Page 20: BGP Safety with Spurious Updates Martin Suchara in collaboration with: Alex Fabrikant and Jennifer Rexford IEEE INFOCOM April 14, 2011](https://reader035.vdocuments.site/reader035/viewer/2022062714/56649d2c5503460f94a02ff6/html5/thumbnails/20.jpg)
20
The Surprise: Spurious Announcements Trigger Permanent Oscillations!
Can be caused by route flap damping
Oscillates if node 3 announces route 30
13010
21020
321032030
1
3
0
2
Spurious update 30
![Page 21: BGP Safety with Spurious Updates Martin Suchara in collaboration with: Alex Fabrikant and Jennifer Rexford IEEE INFOCOM April 14, 2011](https://reader035.vdocuments.site/reader035/viewer/2022062714/56649d2c5503460f94a02ff6/html5/thumbnails/21.jpg)
21
Some Results No Longer Hold Absence of a “dispute reel” necessary and
sufficient for safety under filtering in SPVP (Cittadini et al., 2009)
Our result: permanent oscillations in DPVP even without a reel
Linear time convergence of BGP (Sami et al., 2009)
Our result: exponential slowdown
![Page 22: BGP Safety with Spurious Updates Martin Suchara in collaboration with: Alex Fabrikant and Jennifer Rexford IEEE INFOCOM April 14, 2011](https://reader035.vdocuments.site/reader035/viewer/2022062714/56649d2c5503460f94a02ff6/html5/thumbnails/22.jpg)
22
Overview
I. Classical model of BGP: the SPVP
III. The surprise: networks believed to be safe oscillate!
IV. Convergence conditions: polynomial time verifiable
V. Conclusion
II. Spurious BGP updates: what are they?
![Page 23: BGP Safety with Spurious Updates Martin Suchara in collaboration with: Alex Fabrikant and Jennifer Rexford IEEE INFOCOM April 14, 2011](https://reader035.vdocuments.site/reader035/viewer/2022062714/56649d2c5503460f94a02ff6/html5/thumbnails/23.jpg)
23
Convergence Conditions
Absence of a “dispute wheel” is still sufficient for safety in DPVP Most of the previous results of the past
decade still hold under DPVP!
Absence of a “dispute wheel” sufficient for safety in SPVP (Griffin, Shepherd, Wilfong, 2002)
One of the most cited results
![Page 24: BGP Safety with Spurious Updates Martin Suchara in collaboration with: Alex Fabrikant and Jennifer Rexford IEEE INFOCOM April 14, 2011](https://reader035.vdocuments.site/reader035/viewer/2022062714/56649d2c5503460f94a02ff6/html5/thumbnails/24.jpg)
24
DPVP Makes Analysis Easier No need to prove that:
Announced route is the highest ranked one Announced route is the last one learned from
the downstream neighbor
We changed the problem PSPACE complete vs. NP complete
![Page 25: BGP Safety with Spurious Updates Martin Suchara in collaboration with: Alex Fabrikant and Jennifer Rexford IEEE INFOCOM April 14, 2011](https://reader035.vdocuments.site/reader035/viewer/2022062714/56649d2c5503460f94a02ff6/html5/thumbnails/25.jpg)
25
Necessary and Sufficient Conditions How can we prove a system may oscillate?
Classify each node as “stable” or “coy” At least one “coy” node exists Prove that “stable” nodes must be stable Prove that “coy” nodes may oscillate
Easy in a model with spurious announcements
![Page 26: BGP Safety with Spurious Updates Martin Suchara in collaboration with: Alex Fabrikant and Jennifer Rexford IEEE INFOCOM April 14, 2011](https://reader035.vdocuments.site/reader035/viewer/2022062714/56649d2c5503460f94a02ff6/html5/thumbnails/26.jpg)
26
Necessary and Sufficient Conditions
Coy nodes may make spurious announcements
Stable nodes have a permanent path
Theorem: DPVP oscillates if and only if it has a CoyOTE
Definition: CoyOTE is a triple (C, S, Π) satisfying several conditions
One path assigned to each node proves if the node is coy or stable
0
1 2
3
123010
30
21020230
![Page 27: BGP Safety with Spurious Updates Martin Suchara in collaboration with: Alex Fabrikant and Jennifer Rexford IEEE INFOCOM April 14, 2011](https://reader035.vdocuments.site/reader035/viewer/2022062714/56649d2c5503460f94a02ff6/html5/thumbnails/27.jpg)
Verifying the Convergence Conditions = Finding a CoyOTE In general an NP-hard problem
Can be checked in polynomial time for most “reasonable” network configurations!
27
(i) filter paths violating business relationships
(ii) prefer paths not containing certain AS numbers
(iii) prefer paths from certain groups of neighbors
(iv) prefer shorter paths over longer ones
(v) prefer paths from a lowest AS number neighbor
e.g.
![Page 28: BGP Safety with Spurious Updates Martin Suchara in collaboration with: Alex Fabrikant and Jennifer Rexford IEEE INFOCOM April 14, 2011](https://reader035.vdocuments.site/reader035/viewer/2022062714/56649d2c5503460f94a02ff6/html5/thumbnails/28.jpg)
28
DeCoy – Safety Verification Algorithm Goal: verify safety in polynomial time
Key observation: greedy algorithm works!
1. Let the origin be in the stable set S
2. Keep expanding the stable set S until stuck
If all nodes become stable system is safe
Otherwise system can oscillate
![Page 29: BGP Safety with Spurious Updates Martin Suchara in collaboration with: Alex Fabrikant and Jennifer Rexford IEEE INFOCOM April 14, 2011](https://reader035.vdocuments.site/reader035/viewer/2022062714/56649d2c5503460f94a02ff6/html5/thumbnails/29.jpg)
29
Overview
I. Classical model of BGP: the SPVP
III. The surprise: networks believed to be safe oscillate!
IV. Convergence conditions: polynomial time verifiable
V. Conclusion
II. Spurious BGP updates: what are they?
![Page 30: BGP Safety with Spurious Updates Martin Suchara in collaboration with: Alex Fabrikant and Jennifer Rexford IEEE INFOCOM April 14, 2011](https://reader035.vdocuments.site/reader035/viewer/2022062714/56649d2c5503460f94a02ff6/html5/thumbnails/30.jpg)
30
Conclusion DPVP: best of both worlds
More accurate model of BGP Model simplifies theoretical analysis
Key results(i) Spurious announcements are real
(ii) Safe instances in SPVP may oscillate in DPVP
(iii) No dispute wheel → safety
(iv) Necessary and sufficient conditions of convergence, can be found in
polynomial time
![Page 31: BGP Safety with Spurious Updates Martin Suchara in collaboration with: Alex Fabrikant and Jennifer Rexford IEEE INFOCOM April 14, 2011](https://reader035.vdocuments.site/reader035/viewer/2022062714/56649d2c5503460f94a02ff6/html5/thumbnails/31.jpg)
31
Thank You!